packetsifterTool is to perform batch processing of PCAP data to uncover potential IOCs.
Simply initialize PacketSifter with your desired integrations (Virus Total, Abuse IPDB) and pass PacketSifter a pcap and the desired switches and PacketSifter will sift through the data and generate several output files.
Note Please run AbuseIPDBInitial.sh and VTInitial.sh prior to using their corresponding switches or the integrations will not work
05/27/2021
PacketSifter has been revamped to allow a more streamlined interaction with the user. Simply download the new updated packetsifter.sh, run ./packetsifter -h and learn how to properly use the new PacketSifter!
How It Works
Simply pass PacketSifter your pcap to analyze along with your desired flags and let PacketSifter do the work for you!
root@ubuntu:~# ./packetsifter -i /tmp/testing.pcap -a -r -v
OPTIONS:
tshark – https://tshark.dev/setup/install/
Currently, PacketSifter generates the following pcaps:
Currently, PacketSifter generates the following text files:
VirusTotal Integration output text files (all optional):
AbuseIPDB Integration output text files (optional):
Currently, PacketSifter generates the following tar.gz files:
PacketSifter can now perform hash lookups via VirusTotal API of exported objects found via SMB/HTTP.
Steps to configure PacketSifter with VirusTotal integration:
root@ubuntu:~# apt-get install jq
root@ubuntu:~# apt-get install curl
Successful output of VTInitial.sh is shown below:
Run PacketSifter with the -v flag to enable VirusTotal lookups of exported HTTP and SMB objects.
Successful output of VirusTotal integration and subsequent generated httpVTResults.txt / smbVTResults.txt shown below:
AbuseIPDB Integration
PacketSifter can perform IP Geo-location + IP reputation lookups of IP addresses returned in DNS A Records.
Steps to configure PacketSifter with AbuseIPDB integration:
root@ubuntu:~# apt-get install jq
root@ubuntu:~# apt-get install curl
**AbuseIPDB free API keys have a limit of 1000 lookups a day**
Successful output of AbuseIPDBInitial.sh is shown below:
Successful output of AbuseIPDB integration and subsequent generated IPLookupResults.txt shown below:
**Confidence Score is on a 0-100 percent confidence scale**
The cp command, short for "copy," is the main Linux utility for duplicating files and directories. Whether…
Introduction In digital investigations, images often hold more information than meets the eye. With the…
The cat command short for concatenate, It is a fast and versatile tool for viewing and merging…
What is a Port? A port in networking acts like a gateway that directs data…
The ls command is fundamental for anyone working with Linux. It’s used to display the files and…
The pwd (Print Working Directory) command is essential for navigating the Linux filesystem. It instantly shows your…